// For flags

CVE-2024-8986

Information Leakage in grafana-plugin-sdk-go

Severity Score

9.1
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`.

If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.

El SDK del complemento Grafana incluye metadatos de compilación en los binarios que compila; estos metadatos incluyen el URI del repositorio para el complemento que se está compilando, tal como se obtiene al ejecutar `git remote get-url origin`. Si se incluyen credenciales en el URI del repositorio (por ejemplo, para permitir la obtención de dependencias privadas), el binario final contendrá el URI completo, incluidas dichas credenciales.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
System
Vulnerable | Subsequent
Confidentiality
High
High
Integrity
None
High
Availability
None
High
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
System
Vulnerable | Subsequent
Confidentiality
High
High
Integrity
None
High
Availability
None
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-09-18 CVE Reserved
  • 2024-09-19 CVE Published
  • 2024-09-19 CVE Updated
  • 2024-09-20 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-522: Insufficiently Protected Credentials
CAPEC
  • CAPEC-37: Retrieve Embedded Sensitive Data
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Grafana-plugin-sdk-go
Search vendor "Grafana-plugin-sdk-go"
 Grafana Plugin SDK
Search vendor "Grafana-plugin-sdk-go" for product "Grafana Plugin SDK"
 >= 0.106.0 <= 0.249.0
Search vendor "Grafana-plugin-sdk-go" for product "Grafana Plugin SDK" and version " >= 0.106.0 <= 0.249.0"
en
Affected